npm - pompelmi - Versions diffs - 0.35.3 → 0.35.4 - Mend

pompelmi 0.35.3 → 0.35.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +87 -88
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -1,54 +1,65 @@
 <div align="center">
-  <img src="./assets/logo.svg" alt="Pompelmi logo" width="144" />
+  <img src="./assets/logo.svg" alt="Pompelmi logo" width="120" />
   <h1>Pompelmi</h1>
-  <p><strong>Route-level upload security for Node.js.</strong></p>
-  <p>Inspect untrusted uploads before storage.</p>
+  <p><strong>Secure file uploads in Node.js before storage.</strong></p>
   <p>
-    MIME and extension spoofing · archive abuse · risky document and binary
-    signals · optional YARA
+    Open-source route-level upload security for Node.js teams that need to
+    inspect untrusted files before disk, object storage, previews, or
+    downstream parsers.
   </p>
   <p><code>clean</code> · <code>suspicious</code> · <code>malicious</code></p>
   <p>
-    <sub>Express · Next.js · NestJS · Fastify · Koa · Nuxt/Nitro · S3 quarantine flows · CI/CD</sub>
+    MIME spoofing · risky archives · document and binary signals · optional
+    YARA
   </p>
-  <p><sub>Open-source core · MIT · Node.js 18+</sub></p>
+  <p>
+    <sub>Express · Next.js · NestJS · Fastify · Koa · Nuxt/Nitro · S3 quarantine flows · CI/CD</sub>
+  </p>
   <p>
     <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm version" src="https://img.shields.io/npm/v/pompelmi" /></a>
     <a href="https://github.com/pompelmi/pompelmi/actions/workflows/ci.yml"><img alt="CI" src="https://img.shields.io/github/actions/workflow/status/pompelmi/pompelmi/ci.yml?label=ci" /></a>
     <a href="https://codecov.io/gh/pompelmi/pompelmi"><img alt="codecov" src="https://codecov.io/gh/pompelmi/pompelmi/graph/badge.svg" /></a>
     <a href="https://github.com/pompelmi/pompelmi/stargazers"><img alt="GitHub stars" src="https://img.shields.io/github/stars/pompelmi/pompelmi?style=social" /></a>
-    <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm weekly downloads" src="https://img.shields.io/npm/dw/pompelmi" /></a>
-    <a href="https://www.npmjs.com/package/pompelmi"><img alt="npm monthly downloads" src="https://img.shields.io/npm/dm/pompelmi" /></a>
   </p>
   <p>
-    <a href="https://pompelmi.github.io/pompelmi/getting-started/"><strong>Getting started</strong></a>
+    <a href="https://pompelmi.app/"><strong>Docs</strong></a>
+    ·
+    <a href="https://pompelmi.app/getting-started/"><strong>Getting started</strong></a>
     ·
-    <a href="https://pompelmi.github.io/pompelmi/#browser-preview"><strong>Browser preview</strong></a>
+    <a href="https://pompelmi.app/#browser-preview"><strong>Browser preview</strong></a>
     ·
     <a href="./examples/demo"><strong>Express demo</strong></a>
     ·
     <a href="./examples/README.md"><strong>Examples</strong></a>
   </p>
+  <p><sub>Node.js 18+ · MIT</sub></p>
 </div>
 <p align="center">
-  Mentioned by <a href="https://nodeweekly.com/issues/594">Node Weekly</a>,
+  <strong>Mentioned by</strong>
+  <a href="https://nodeweekly.com/issues/594">Node Weekly</a>,
   <a href="https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/">Stack Overflow</a>,
   <a href="https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/">Help Net Security</a>,
   <a href="https://github.com/sorrycc/awesome-javascript">Awesome JavaScript</a>,
   and
-  <a href="https://github.com/dzharii/awesome-typescript">Awesome TypeScript</a>.
+  <a href="https://github.com/dzharii/awesome-typescript">Awesome TypeScript</a>
 </p>
+<p align="center">
+  <sub>If you want upload security to start at the route boundary instead of after storage, consider starring the repo.</sub>
+</p>
+> Upload endpoints are part of your attack surface. Pompelmi helps Node.js teams scan files before storage and make the decision while the route still has context: accept, quarantine, or reject.
 ## Quick Start
 Install the core package:
@@ -57,7 +68,7 @@ Install the core package:
 npm install pompelmi
 ```
-Minimal route-level example:
+This is the core pattern: inspect bytes, get a verdict, and only store clean files.
 ```ts
 import { scanBytes, STRICT_PUBLIC_UPLOAD } from 'pompelmi';
@@ -80,104 +91,92 @@ if (report.verdict !== 'clean') {
 return res.status(200).json({ verdict: report.verdict });
 ```
-Start with [Getting started](https://pompelmi.github.io/pompelmi/getting-started/) for a local scan in under a minute, open the [browser preview](https://pompelmi.github.io/pompelmi/#browser-preview) to inspect the verdict flow without sending files anywhere, or run the minimal [Express demo](./examples/demo).
-If Pompelmi matches how you want upload security to work, star the repo so more Node.js teams can find it.
+Start with [Getting started](https://pompelmi.app/getting-started/) for a local scan in under a minute, open the [browser preview](https://pompelmi.app/#browser-preview) to inspect the verdict flow without sending files anywhere, or run the minimal [Express demo](./examples/demo).
-## Why It Exists
+## Why teams use Pompelmi
-Upload endpoints are part of your attack surface. A file can look harmless at the form layer and become dangerous only after storage, extraction, rendering, or downstream parsing.
+- File upload endpoints are not just form validation. Files can become risky after storage, extraction, rendering, or downstream parsing.
+- Pompelmi keeps the first trust decision inside the application path, where the route still knows the file class, trust level, storage path, and failure mode.
+- It gives Node.js teams a practical way to build secure file uploads with route-level decisions instead of bolting checks on after persistence.
-Pompelmi keeps the first decision inside the application path, where the route still knows the file class, trust level, storage path, and failure mode.
+## What it checks
-## What It Checks
+- MIME sniffing, magic-byte validation, and extension mismatch detection
+- Risky archives such as ZIP bombs, traversal attempts, deep nesting, and entry-count abuse
+- Risky document and binary signals such as PDF actions, Office macro hints, PE headers, and polyglot files
+- Optional YARA-based matches when you want malware scanning uploads as part of the flow
+- Verdicts and reasons you can use for fail-closed routes, quarantine flows, and auditability
-- MIME sniffing, magic-byte validation, and extension allowlists
-- risky archive structures such as traversal, deep nesting, entry-count abuse, and ZIP bomb-style expansion
-- suspicious document and binary signals such as risky PDF actions, Office macro hints, PE headers, and polyglot files
-- optional YARA or other scanner matches
-- route-level verdicts that support reject, quarantine, or promote workflows
+## Where it fits in the upload pipeline
-## Where It Fits
+1. Receive the upload into memory or an isolated staging or quarantine area.
+2. Scan the bytes with a route policy.
+3. Act on the verdict: `clean`, `suspicious`, or `malicious`.
+4. Persist, quarantine, or reject based on the route's rules.
-- public or semi-trusted upload endpoints that should inspect first and store later
-- memory-backed multipart routes in Express, Next.js, NestJS, Fastify, and Koa
-- quarantine and promotion workflows for S3 or other object storage
-- document, image, and archive routes that need different policies
-- CI/CD or internal artifact scanning before promotion
+That inspect-first, store-later shape is where Pompelmi is strongest.
-## Why Not Just X?
+## What it is and isn't
 | Approach | Useful for | What it misses |
 | --- | --- | --- |
-| Browser MIME and extension checks | Fast client-side hints and UX feedback | Filenames and client-reported MIME are easy to spoof |
-| Simple file-type or magic-byte checks | Confirming the file appears to be the claimed type | Risky internal structure, archive abuse, and route policy decisions |
-| Antivirus-only thinking | Known malicious matches and signature-based detection | Route context, spoofing checks, storage decisions, and non-signature risk signals |
-| Pompelmi at the upload route | Inspect-first, store-later decisions with policy, structure checks, and optional YARA | It is not a full antivirus replacement on its own |
-## Integrations
-- Express: [Docs](https://pompelmi.github.io/pompelmi/how-to/express/) · [Minimal example](./examples/express-minimal) · [Demo](./examples/demo)
-- Next.js: [Docs](https://pompelmi.github.io/pompelmi/how-to/nextjs/) · [Example](./examples/next-app-router)
-- NestJS: [Docs](https://pompelmi.github.io/pompelmi/how-to/nestjs/) · [Example app](./examples/nestjs-app)
-- Fastify: [Docs](https://pompelmi.github.io/pompelmi/how-to/fastify/) · [Package](./packages/fastify-plugin)
-- Koa: [Docs](https://pompelmi.github.io/pompelmi/how-to/koa/) · [Package](./packages/koa-middleware)
-- Nuxt/Nitro: [Docs](https://pompelmi.github.io/pompelmi/how-to/nuxt-nitro/)
-- S3 / object storage: [Tutorial](https://pompelmi.github.io/pompelmi/tutorials/secure-s3-presigned-uploads-with-malware-scanning/) · [Use case](https://pompelmi.github.io/pompelmi/use-cases/s3-presigned-upload-security/)
-- CI/CD: [Use case](https://pompelmi.github.io/pompelmi/use-cases/cicd-artifact-scanning/) · [Blog](https://pompelmi.github.io/pompelmi/blog/cicd-scan-build-artifacts/)
-## Demo, Preview, and Examples
+| Browser MIME and extension checks | Fast client-side hints and UX feedback | Client MIME and filenames are easy to spoof |
+| File-type or magic-byte validation only | Confirming a file looks like the claimed type | Archive abuse, risky internal structure, and route policy decisions |
+| Antivirus or YARA only | Known malicious matches and signature-style detection | Route context, spoofing checks, and before-storage handling |
+| Pompelmi at the upload route | Node.js file upload security, scan files before storage, and verdict-driven workflow decisions | It is not a full antivirus replacement on its own |
+## Supported frameworks and workflows
+| Stack or workflow | Links |
+| --- | --- |
+| Express | [Docs](https://pompelmi.app/how-to/express/) · [Minimal example](./examples/express-minimal) · [Demo](./examples/demo) |
+| Next.js | [Docs](https://pompelmi.app/how-to/nextjs/) · [Example](./examples/next-app-router) · [Package](./packages/next-upload) |
+| NestJS | [Docs](https://pompelmi.app/how-to/nestjs/) · [Package](./packages/nestjs) · [Example app](./examples/nestjs-app) |
+| Fastify | [Docs](https://pompelmi.app/how-to/fastify/) · [Package](./packages/fastify-plugin) |
+| Koa | [Docs](https://pompelmi.app/how-to/koa/) · [Package](./packages/koa-middleware) |
+| Nuxt/Nitro | [Docs](https://pompelmi.app/how-to/nuxt-nitro/) · [Example](./examples/nuxt-nitro) |
+| S3 / object storage | [Tutorial](https://pompelmi.app/tutorials/secure-s3-presigned-uploads-with-malware-scanning/) · [Use case](https://pompelmi.app/use-cases/object-storage-promotion-workflows/) |
+| CI/CD | [Use case](https://pompelmi.app/use-cases/cicd-artifact-scanning/) · [Blog](https://pompelmi.app/blog/cicd-scan-build-artifacts/) |
+## Demo, preview, and examples
 ![Pompelmi upload security demo](assets/malware-detection-node-demo.gif)
-- [Browser preview](https://pompelmi.github.io/pompelmi/#browser-preview) for a fast local evaluation of the verdict UX
-- [Demo](./examples/demo) for a tiny Express upload gate that returns `clean`, `suspicious`, or `malicious` before storage
-- [Examples index](./examples/README.md) for framework-specific and production-oriented examples
-## Docs
+- [Browser preview](https://pompelmi.app/#browser-preview) for a fast local look at the verdict UX without uploading files anywhere
+- [Express demo](./examples/demo) for a tiny upload gate that returns `clean`, `suspicious`, or `malicious` before storage
+- [Examples index](./examples/README.md) for framework-specific and production-oriented patterns
+- [Docs home](https://pompelmi.app/) for guides, comparisons, use cases, and tutorials
-- [Docs home](https://pompelmi.github.io/pompelmi/)
-- [Getting started](https://pompelmi.github.io/pompelmi/getting-started/)
-- [Use cases](https://pompelmi.github.io/pompelmi/use-cases/)
-- [Comparisons](https://pompelmi.github.io/pompelmi/comparisons/)
-- [Tutorials](https://pompelmi.github.io/pompelmi/tutorials/)
-- [Featured in](https://pompelmi.github.io/pompelmi/featured-in/)
-- [Translations](https://pompelmi.github.io/pompelmi/translations/)
+## Why star this repo
-## Enterprise and Commercial Support
-The MIT core remains the primary path. Teams that need private rollout help, architecture review, or policy tuning can use the existing [enterprise support path](https://pompelmi.github.io/pompelmi/enterprise/).
+Pompelmi is focused on a real gap in most Node.js stacks: secure file uploads that make a decision before storage, not after. If that matches how you want upload security to work, star the repo to follow the project and help more teams discover the inspect-before-storage model.
 <!-- MENTIONS:START -->
-## Featured In
-Full page: [pompelmi.github.io/pompelmi/featured-in](https://pompelmi.github.io/pompelmi/featured-in/)
-*Last updated: March 20, 2026*
+## Mentioned by
-### Awesome Lists & Curated Collections
+- [Node Weekly](https://nodeweekly.com/issues/594)
+- [Defense against uploads: Q&A with OSS file scanner, pompelmi](https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/) — Stack Overflow
+- [Pompelmi: Open-source secure file upload scanning for Node.js](https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/) — Help Net Security
+- [Awesome JavaScript](https://github.com/sorrycc/awesome-javascript)
+- [Awesome TypeScript](https://github.com/dzharii/awesome-typescript)
+- [See all mentions](https://pompelmi.app/featured-in/)
-- [Awesome JavaScript](https://github.com/sorrycc/awesome-javascript) — sorrycc
-- [Awesome TypeScript](https://github.com/dzharii/awesome-typescript) — dzharii
-### Newsletters & Roundups
-- [The Overflow Issue 319: Dogfooding your SDLC](https://stackoverflow.blog/newsletter/issue-319-dogfooding-your-sdlc/) — Stack Overflow (2026-03-04)
-- [Hottest cybersecurity open-source tools of the month: February 2026](https://www.helpnetsecurity.com/2026/02/26/hottest-cybersecurity-open-source-tools-of-the-month-february-2026/) — Help Net Security (2026-02-26)
-- [Bytes #429](https://bytes.dev/archives/429) — Bytes (2025-10-03)
-- [Node Weekly Issue 594](https://nodeweekly.com/issues/594) — Node Weekly (2025-09-30)
-- [Det. Eng. Weekly Issue #124 - The DEFCON hangover is real](https://www.detectionengineering.net/p/det-eng-weekly-issue-124-the-defcon) — Detection Engineering (2025-08-13)
-### Other Mentions
+<!-- MENTIONS:END -->
-- [Defense against uploads: Q&A with OSS file scanner, pompelmi](https://stackoverflow.blog/2026/02/23/defense-against-uploads-oss-file-scanner-pompelmi/) — Stack Overflow (2026-02-23)
-- [Pompelmi: Open-source secure file upload scanning for Node.js](https://www.helpnetsecurity.com/2026/02/02/pompelmi-open-source-secure-file-upload-scanning-node-js/) — Help Net Security (2026-02-02)
+## Docs
+- [Getting started](https://pompelmi.app/getting-started/)
+- [Use cases](https://pompelmi.app/use-cases/)
+- [Comparisons](https://pompelmi.app/comparisons/)
+- [Tutorials](https://pompelmi.app/tutorials/)
+- [Browser preview](https://pompelmi.app/#browser-preview)
+- [Featured in](https://pompelmi.app/featured-in/)
+- [Translations](https://pompelmi.app/translations/)
-*Found 9 mentions. To update, run `npm run mentions:update`.*
+## Commercial support
-<!-- MENTIONS:END -->
+The MIT core remains the primary path. Teams that need private rollout help, architecture review, or policy tuning can use the existing [enterprise support path](https://pompelmi.app/enterprise/).
 ## Project

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pompelmi",
-  "version": "0.35.3",
+  "version": "0.35.4",
   "description": "Inspect untrusted uploads before storage in Node.js. Open-source upload security with checks for spoofing, archive abuse, risky document and binary signals, and optional YARA.",
   "main": "./dist/pompelmi.cjs",
   "module": "./dist/pompelmi.esm.js",